Meltdown and Spectre are vulnerabilities in modern processors, which allow a rogue process to read all memory which is currently processed on the computer, including passwords, documents, security credentials, and your photos. Your operating system and software may have included corresponding patches to mitigate those vulnerabilities if they are up to date. However, those patches significantly slowdown your computer.

If you have offline computers that run only trusted software, you may want to disable those patches to regain performance lost. This article will show you how to disable those patches on Linux. There is also an instruction for Windows.

Currently this article only covers the instructions to disable the Meltdown patch.

Check if Meltdown and Spectre patches are applied

Run the following command:

grep . /sys/devices/system/cpu/vulnerabilities/*

The following output means that the patches are enabled for the Meltdown and Spectre vulnerability:

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW

Disable vulnerability fixes

You can disable those patches by adding nopti boot option to kernel. Assume your Linux distribution uses grub2 as the boot manager:

Firstly modify GRUB_CMDLINE_LINUX parameter in the /etc/default/grub and append nopti boot option at the end of the line, like:

GRUB_CMDLINE_LINUX=" rhgb quiet nopti"

Then regenerate the grub config file. If your OS is booted from legacy BIOS, run:

sudo grub2-mkconfig -o /etc/grub2.cfg

Otherwise if your OS is booted from UEFI, run:

sudo grub2-mkconfig -o /etc/grub2-efi.cfg

Lastly, reboot your computer.

Verify if the patches are disabled

Rerun the following command:

grep . /sys/devices/system/cpu/vulnerabilities/*

If successful, your output should be something like: shspectre fedora /sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable

Re-enable the patches

Just remove the nopti boot option from /etc/default/grub and regenerate the grub boot config file like what we did before.

Old Posts Migrated

Posts in my old blog, which hasn't been maintained for serveral years, has been successfully migrated to this new room!… Continue reading